How to revoke an authentication token?
Problem description
Say I generated an authentication token, and to save on processing and remote calls, I've set its expiration date some 30 days in the future.
Now I want to remove this account from my system, is there a way to revoke the authentication token I have given the client?
I don't think that's possible currently, and I can certainly work around that (by not having such high expiration times mostly), but I just wanted to make sure I didn't miss something in the docs.
You can't really revoke that specific token (outside of invalidating the secret that generated the token, but that will invalidate all other tokens issued by that secret too - probably not what you want).
You can, however, rely on some information that's specific to the token (perhaps you included a unique user ID as data in the token) and update your security rules to reject any operations that match that value.
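The two options from the answer, side by side, as an added example that is not code from the original post. It assumes a stand-alone HMAC-signed token format (`issue_token`, `verify_token` and the `revoked_uids` set are hypothetical names); the deny-list check stands in for the "security rules" the answer refers to.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64(data):
    return base64.urlsafe_b64encode(data).decode()


def issue_token(secret, uid, ttl_seconds, now=None):
    """Sign a payload that carries the user ID and an expiry time."""
    now = time.time() if now is None else now
    payload = json.dumps({"uid": uid, "exp": int(now) + ttl_seconds}).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(secret, token, revoked_uids, now=None):
    """Return the uid for a valid token, or None if it must be rejected."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:
        return None  # malformed token
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # wrong or rotated secret: every token it issued fails here
    claims = json.loads(payload)
    if claims["exp"] <= now:
        return None  # expired
    if claims["uid"] in revoked_uids:
        return None  # per-account revocation: only this user's tokens fail
    return claims["uid"]
```

The deny-list entry only needs to live until the longest-lived token for that user would have expired, so a 30-day token means keeping the entry for 30 days.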